ESET patches vulnerability that causes web browsers to trust untrusted sites
Take action: The issue is not severe, but it is a good reminder to check that auto-update on your ESET tools is working. If you use ESET products, verify that your endpoint software is on a version released after 21 November. If it is not, start the update and monitor that it completes across your infrastructure.
Learn More
ESET, a cybersecurity and antivirus firm, has recently issued updates for a range of its security products, targeting a vulnerability that posed a significant risk to web browser security.
Tracked as CVE-2023-5594 (CVSS score 7.5), this high-severity flaw was found in the SSL/TLS protocol scanning functionality integrated into various ESET products. The vulnerability could mislead web browsers into erroneously trusting websites secured with certificates that were signed using obsolete and insecure cryptographic algorithms, specifically MD5 and SHA-1.
The core issue behind this vulnerability lay in the improper validation process of the server's certificate chain within ESET's secure traffic scanning feature. Due to this flaw, a browser running on a system with an ESET product that had the secure traffic scanning enabled could incorrectly deem a site as trustworthy, even if it was secured with a certificate signed by these weaker algorithms.
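The check the article describes as broken, shown here as an added example rather than ESET's code: a stdlib-only Python audit that reads the signatureAlgorithm field of every certificate in a chain and flags the MD5- and SHA-1-based algorithms a scanning product must refuse to pass on to the browser as trusted. The DER stubs produced by make_stub_certificate are constructed test data with a placeholder tbsCertificate, not real certificates; pem_chain_to_der lets the same audit run over a real PEM bundle (for example, a server's chain saved leaf first). All function names below are this example's own.

```python
import base64
import re

# Signature-algorithm OIDs a TLS-scanning product must refuse to re-sign as trusted
# (standard PKCS#1 / ANSI X9 identifiers).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    # One DER tag/length/value at pos -> (tag, value, position after it).
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                   # short-form length
        length = first
    else:                              # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    # DER OBJECT IDENTIFIER contents -> dotted string (first byte packs arcs 1 and 2).
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(cert_der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid_body, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_body)

def pem_chain_to_der(pem_text):
    # Split a PEM bundle (leaf first) into DER certificates.
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def audit_chain(der_chain, skip_trust_anchor=False):
    # Return [(index, oid, name)] for every certificate signed with a weak digest.
    # A self-signed root's own signature is never verified by clients, so callers
    # that include the anchor can exclude it with skip_trust_anchor=True.
    certs = der_chain[:-1] if skip_trust_anchor else der_chain
    return [(i, oid, WEAK_SIGNATURE_OIDS[oid])
            for i, oid in enumerate(signature_algorithm_oid(c) for c in certs)
            if oid in WEAK_SIGNATURE_OIDS]

def chain_is_acceptable(der_chain, skip_trust_anchor=False):
    # The decision a scanner must make before presenting a site to the browser as trusted.
    return not audit_chain(der_chain, skip_trust_anchor)

# ---- constructed stand-in certificates for offline testing (not real X.509) ----
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def make_stub_certificate(sig_oid):
    # Real outer layout, placeholder tbsCertificate and signatureValue: only the
    # signatureAlgorithm field carries meaning, which is all the audit reads.
    tbs = _der(0x30, _der(0x02, b"\x02"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 9)                # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)
```

The audit walks every certificate below the trust anchor, because a SHA-1 signature on an intermediate undermines the chain just as much as one on the leaf; the root is the only exemption, since clients never verify a self-signed anchor's own signature. Running `audit_chain(pem_chain_to_der(open("chain.pem").read()))` against a saved server chain is a quick way to confirm that a scanning proxy in front of your browsers is not quietly vouching for sites it should reject.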
The range of ESET products affected by this flaw includes:
- NOD32 Antivirus,
- Internet Security,
- Smart Security Premium,
- Security Ultimate,
- Endpoint Antivirus,
- Endpoint Security,
- Server Security,
- Mail Security,
- Security for Microsoft SharePoint Server,
- File Security for Microsoft Azure.
To address this issue, ESET has been deploying patches through automatic product updates since November 21, ensuring that the end-users do not need to take any manual action to secure their systems.